TL;DR
- App permissions are requests to access device hardware and data stores; granting them can give an app access to your location, microphone, contacts, camera, and more.
- UK GDPR requires app developers to have a lawful basis for processing personal data collected via permissions and to inform you of that purpose in their privacy notice.
- You can review and revoke permissions at any time through your device’s settings without uninstalling the app, though some features may stop working.
- Under UK GDPR, you have rights of access, rectification, erasure, and objection over personal data collected through app permissions.
- The ICO can investigate and take enforcement action against app developers who misuse permissions or breach UK GDPR data-processing requirements.
What App Permissions Are and Why They Matter
When you install an app on a smartphone, the operating system presents a series of prompts asking whether the app may access particular device capabilities or data stores. These prompts — permissions — act as a checkpoint between the app and the sensitive resources held on your device. A weather app requesting location access is a familiar example; a game requesting microphone access is a less obvious one. The permission system exists precisely because mobile devices hold a concentration of personal data — contacts, precise location history, photographs, messages — that would represent a significant privacy risk if all apps could access it without restriction.
Both Apple’s iOS and Google’s Android operating systems provide permission frameworks, though the exact categories and the granularity of control differ between platforms. From a UK legal standpoint, the permission itself is the technical mechanism; the legal framework governing what an app developer may do with data accessed through that permission is UK GDPR, as retained and modified by the Data Protection Act 2018. The ICO is the UK’s independent supervisory authority responsible for enforcing UK GDPR against organisations including app developers.
Common Permissions and What They Access
Permissions vary in their sensitivity and in the breadth of data they expose. Location permissions are among the most privacy-significant: “precise location” access uses GPS and network triangulation to determine your position to within metres, while “approximate location” uses network signals for a coarser estimate. Both can reveal patterns of behaviour — where you live, work, and travel — that are valuable to advertisers but potentially harmful if disclosed. Contacts permissions expose names, phone numbers, and email addresses belonging not just to you but to every person in your address book, raising questions about the privacy of third parties who have not themselves consented.
Microphone and camera permissions are particularly sensitive because they can capture real-time audio and visual data. Storage permissions on Android allow an app to read from or write to your device’s shared storage, potentially accessing files, photos, and documents. Phone permissions can expose your IMEI (device identifier), call logs, and your phone number. Each of these data categories qualifies as personal data under UK GDPR if it can identify you, either alone or in combination with other data, and is subject to the full force of data protection law.
| Permission | Data Accessed | Privacy Risk |
|---|---|---|
| Precise Location | GPS coordinates, movement history | High — reveals home, work, routines |
| Contacts | Names, phone numbers, email addresses of all contacts | High — third-party personal data |
| Microphone | Real-time audio, voice recordings | High — ambient capture risk |
| Camera | Photos, video, real-time visual data | High — biometric and locational data |
| Storage / Media | Files, photos, documents on device | Medium-High — broad file access |
| Phone / Device ID | IMEI, call logs, phone number | Medium — persistent device identifier |
UK GDPR and Lawful Basis for App Data Processing
UK GDPR (as set out in the Data Protection Act 2018 and the retained GDPR) requires that any processing of personal data has a lawful basis under Article 6. For most consumer apps, the most commonly cited bases are consent (Article 6(1)(a)) and legitimate interests (Article 6(1)(f)). Where consent is used, it must be freely given, specific, informed, and unambiguous. A pre-ticked box or a permission bundled into broad terms and conditions does not meet this standard.
App developers must provide a privacy notice that is accessible, written in plain language, and explains: what data is collected, why, on what lawful basis, how long it is retained, whether it is shared with third parties (and if so, who), and how to exercise your data rights. The ICO’s guidance on apps makes clear that where an app targets or is likely to be used by children, additional protections apply under the Children’s Code. If an app accesses special category data — health data, for example, accessed via a fitness tracker integration — a stricter lawful basis under Article 9 is required.
How to Review and Revoke App Permissions
On Android devices, permissions can be reviewed and changed by navigating to Settings, then Apps (or Application Manager on some versions), selecting the relevant app, and tapping Permissions. Each permission category is listed individually and can be toggled on or off. Android also provides a Privacy Dashboard (introduced in Android 12) that shows a timeline of which apps accessed sensitive permissions such as location, microphone, and camera over the previous 24 hours. On iOS devices, permissions are managed through Settings, then Privacy & Security, where each permission type lists all apps that have requested or been granted access.
Revoking a permission does not delete data that has already been collected and transmitted. If you wish to exercise your right to erasure over previously collected data, you must submit a separate request to the data controller (the app developer or the organisation behind the app). Most app developers provide a data deletion mechanism within the app settings or a contact route in their privacy notice. If the response is unsatisfactory, you can raise a complaint with the ICO, which has the power to investigate and impose corrective measures.
Your UK GDPR Rights Over App Data
UK GDPR grants a suite of rights that apply to personal data collected through app permissions. The right of access (Subject Access Request, or SAR) entitles you to receive a copy of the personal data held about you, free of charge, within one calendar month. The right to rectification allows you to have inaccurate data corrected. The right to erasure (“right to be forgotten”) allows you to request deletion of your data where the processing was based on consent and you withdraw that consent, or where the data is no longer necessary for the purpose for which it was collected.
Where processing is based on legitimate interests, you have the right to object; the data controller must then cease processing unless it can demonstrate compelling legitimate grounds that override your interests. The right to data portability applies where processing is based on consent or contract and is carried out by automated means: you can request your data in a structured, commonly used, machine-readable format. Complaints about UK GDPR violations by app developers can be submitted directly to the ICO via its online complaints form. The ICO has previously investigated and taken regulatory action against app developers and data brokers who misused location and identifier data.
What this means in practice
Fatima downloads a free recipe app that, during installation, requests access to her location, contacts, and microphone. She grants all three without reading the permissions prompts closely. Three weeks later, a friend mentions seeing targeted adverts for restaurants near Fatima’s home address. Fatima opens her phone’s Privacy Dashboard and sees the recipe app accessed her precise location seventeen times in a week — despite needing it only once for a local shop finder feature. She navigates to Settings, finds the app’s permissions, and restricts location access to “only while using” and disables contacts and microphone entirely. She then submits a Subject Access Request to the app developer asking what location data was collected and with whom it was shared, and separately exercises her right to erasure over the location history. The app developer has one month to respond.
How we verified this
This article draws on UK GDPR as retained in UK law under the Data Protection Act 2018, ICO guidance on apps and location data, ICO guidance on children’s privacy and the Age Appropriate Design Code, and GOV.UK guidance on your data protection rights.
Disclaimer: Kaeltripton.com is an independent UK editorial publisher. We are not regulated by Ofcom or the FCA and we do not sell or arrange mobile services, insurance, or financial products. This content is for general information only and is not legal, financial, or technical advice. Rules, prices, and operator policies change. Verify the current position with Ofcom, GOV.UK, the ICO, or your provider before acting. ICO registered ZC135439. Last reviewed: 2026-06-05.
Frequently Asked Questions
What do app permissions on a mobile mean?
App permissions are requests from an application to access specific device capabilities or data stores, such as your location, camera, microphone, contacts, or storage. The operating system presents these as prompts that you can accept or decline. Granting a permission gives the app the technical ability to read or use that data category; the legal rules governing what the developer may then do with that data are set by UK GDPR and enforced by the ICO.
Can apps access my mobile data without permission?
For sensitive data categories — location, camera, microphone, contacts, and storage — the operating system requires explicit permission before an app can access them. However, apps can access some information without a specific runtime prompt, including device model, operating system version, network connection type, and certain advertising identifiers. UK GDPR applies to the processing of all personal data regardless of whether a permission prompt was required.
How do I review app permissions on my phone?
On Android, go to Settings > Apps, select an app, and tap Permissions to see each granted or denied category. Android 12 and later also provide a Privacy Dashboard under Settings > Privacy showing recent permission usage. On iOS, go to Settings > Privacy & Security to see each permission type (location, contacts, microphone, camera) and which apps have been granted access. You can change any permission at any time without uninstalling the app.
What GDPR rights do I have over app data?
Under UK GDPR you have the right to access a copy of your data (Subject Access Request), the right to have inaccurate data corrected, the right to request erasure where processing was consent-based and you withdraw consent, the right to object to processing based on legitimate interests, and the right to data portability for consent- or contract-based processing. Requests must be responded to within one calendar month. Unresolved complaints can be submitted to the ICO.
How do I stop apps from tracking my location?
The most direct method is to revoke the location permission for the app via your device settings (Settings > Privacy & Security > Location Services on iOS; Settings > Apps > [App] > Permissions > Location on Android). You can often restrict access to “only while using the app” rather than “always”. Additionally, you can disable advertising IDs on both platforms, which limits cross-app tracking. For data already collected, submit an erasure request to the data controller under UK GDPR.